Pentagon Continues Push Toward Cloud, Automated Security

There are two things that Defense Department Chief Information Officer Terry Halvorsen wants to change: The pace at which the Defense Department adopts cloud computing and the level of automation in today’s cyber defenses.

Both are easier said than done, but not impossible. And Halvorsen is optimistic that the Pentagon can begin making real progress on both fronts during the coming months.

When it comes to transitioning to cloud computing, the Defense Department is “pretty much in line with where the Fortune 50 are,” Halvorsen said, speaking Sept. 15 during a conference call with reporters. “If you look at the Fortune 50, they don’t put a lot of their corporate data yet in…anything but private clouds. They’re going through the same process we are about what stuff should move into these hybrid types of clouds,” he said, referring to the 50 largest companies in the nation as ranked by Fortune Magazine.

“We’re all trying to find what is going to be that hybrid sweet spot and how much do you put out there,” Halvorsen said. “What we’re all trying to do is to get it as close to that pure commercial price point as we can while protecting our security, our mission and, I would tell you, our perception issues.”

To date, that process has been slow and arduous, hindered primarily by cultural obstacles and security concerns. But in the next six months to a year, Halvorsen said he expects to see “blocks of hybrid [clouds] forming up,” potentially around logistics and parts supply data.

Rob Vietmeyer, the Defense Department’s cloud portfoloio lead, said current efforts are focusing on common services. “What we found is that when we made these initial steps into the commercial cloud environment, a lot of the foundational capabilities aren’t there,” Vietmeyer said. “So we’re looking at how do we extend those platform services that exist in the department…into the commercial cloud environment.”

The first step involves determining what kinds of data can be moved to a hybrid cloud environment, he said. At the enterprise level, Vietmeyer said infrastructure as a service and office automation are areas that are under active study.

Cybersecurity Automation

Another area under active study is automating cybersecurity defenses. Halvorsen acknowledged the department is working closely with Silicon Valley-based IT firms to identify and test automated tools that can scale to meet the needs of an organization as large as DOD.

“We want to look at tools that will help us automate the cyber basics,” Halvorsen said. “At a certain point, I want to be able to have some cyber defenses completely automated. I think in the end it is the only way we will keep up.”

Richard Hale, the department’s deputy CIO for cybersecurity said the Pentagon has been pushing its Silicon Valley research and development partners to find new end-point security technologies. “There’s an explosion of innovation there, around hardening, around attack detection, around containment, [and] around automation,” Hale said. “We’re interested in analytics, and we’re still interested in the problem of zero-day attacks and how we block them more effectively, which might not be at the initial infection but somewhere in the attack lifecycle.”

Under Halvorsen’s leadership, the department has become tougher on subordinate commands and major programs of record that have not kept pace with emerging cybersecurity requirements. Earlier this year, the department began issuing cybersecurity guidebooks for program acquisition officials and publicly announced it would be holding program officials to account for cybersecurity gaps that remain unaddressed in systems — going so far as to threaten to kick units off the DOD network until the security issues were fixed.

Responding directly to a question from MeriTalk, Halvorsen would not say what programs may or may not have been removed from Pentagon networks due to security compliance issues, but acknowledged that his office has gotten tougher across the board and is actively tracking cybersecurity compliance through component and system scorecards.

One area he started measuring was the number of system administrators who are fully PKI credentialed throughout the department. “At the start we were — I’ll be honest, we were red to yellow,” Halvorsen said. “Since we have now been tracking that scorecard, we’re now yellow to green and moving more solidly green every day.”